Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Network Networking Technology

The 40th Root KSK Ceremony Rescheduled (icann.org) 20

rastos1 writes: The 40th Root Key Signing Key Ceremony, originally scheduled for 12 February 2020 at 2100 UTC in El Segundo, California, is being postponed. "During routine administrative maintenance of our Key Management Facility on 11 February, we identified an equipment malfunction that will prevent us from successfully conducting the ceremony as originally scheduled. The issue disables access to one of the secure safes that contains material for the ceremony," ICANN's Kim Davies wrote.
This discussion has been archived. No new comments can be posted.

The 40th Root KSK Ceremony Rescheduled

Comments Filter:
  • so is the whole world just one lost key away from losing, say, DNS ?
    • Re:lost key (Score:5, Funny)

      by dromgodis ( 4533247 ) on Friday February 14, 2020 @10:00AM (#59728014)

      Don't worry, it is just the key to the locker where they keep the funny ceremonial hat that is missing.

    • by Anonymous Coward

      Why is this actually news.

      It might of been news if today was 11th Feb (or before) before but today is 14th so even if the event had gone ahead it would of been finished 2 days ago. The quality has dropped these days.

      Hey everyone a hot news flash, the PC Show at LAVC on Dec 12th 1998 has been postponed, so just letting you all know.

    • No. There's a complete off-site backup on the other side of the country, as well as other ways of recovering things in case everything goes sideways.

  • by wizzy403 ( 303479 ) on Friday February 14, 2020 @10:24AM (#59728080)

    As an update to yesterday’s postponement:

    Once we had ascertained we could not conduct the ceremony as originally scheduled, our first priority was to notify all impacted parties of the need to postpone. Once that was complete, we spent the evening reviewing our options with input from our expert staff and contractors.

    Today, we held a briefing with the Trusted Community Representatives to discuss the equipment failure, our proposed approach to correct the fault, and possible dates to reschedule the ceremony. It was a very useful discussion where we explored the issues and developed a plan for moving forward.

    The work to repair the malfunction is scheduled for Friday, 14 February. If this work is successfully completed on time, we expect to hold the Key Ceremony on Saturday, 15 February at 18:00 UTC. If further work is needed, we expect to know this by late Friday, and the new date for the ceremony will be announced in the upcoming weeks.

    I'd particularly like to recognize the flexibility and willingness of the TCRs, our auditors, the RZM and our staff to make this happen.

    kim
    https://mm.icann.org/pipermail... [icann.org]

  • by Tomahawk ( 1343 ) on Friday February 14, 2020 @10:25AM (#59728088) Homepage

    This is about something that was supposed to happen 2 days ago. Why does it take over 48 hours (actually almost 60 hours) for news like this to reach Slashdot?
    Slashdot used to be on the nose for stuff like this -- you'd find out about it here before almost everywhere else.

    • by rho ( 6063 )

      The moderators have to split their time between reading the story queue and the BizX Hamster Wheel of Pain.

      • by OzPeter ( 195038 )

        The moderators have to split their time between reading the story queue and the BizX Hamster Wheel of Pain.

        Are you new here? If they actually read the story queue then they'd cut down on posting dupes!

    • by rastos1 ( 601318 )

      a) because you did not submit that story into firehose. And nobody else did either.

      b) because I learned about it at about 30 hours ago and if I had posted it at that time it would get lost because it was night at east coast. My observation is that if you want to get a story upvoted in firehose, you have to pick the right time of day.

      It took at about one hour since I submitted the entry until it was published on frontpage. I personally find that reasonable.

    • by rastos1 ( 601318 )
      They got into the safe and performed the signing [icann.org]. Do you fancy submitting [slashdot.org] a story?
  • I read TFS, I read TFA, but still haven't got a clue what this entire article is about. Can someone with actual knowledge please explain the significance of all of this, and why it seems to be done every year?

    • by rdunnell ( 313839 ) on Friday February 14, 2020 @11:54AM (#59728462)

      https://www.iana.org/dnssec/ce... [iana.org]

      Here is a link. The ceremonies are performed to do any cryptographic operations which require a Root Signing Key. When you need to use such a key, you usually have to get a number of people called "key custodians" who each have independent physical access to one part of the cryptographic key, usually stored on a smart card or other secure token device. You will usually have an overall number of custodians and a certain quorum of them will need to be there for a given operation. Like, six of ten, three of seven, etc.

      They all have to get their fragment of the key (their assigned device) which is usually stored in a safe which only they have access to. Then they all need to be in the same room, usually a SCIF (think a bank vault with a data center inside it). Whatever process they run will ask for their components individually, and then once the required number of components have been entered, the system will reassemble the master crypto keys and do whatever it needs to do.

      The process is designed to make sure that fraud is very difficult and cannot happen without being detected. All the systems and physical access along the way will typically be monitored, controlled with biometrics and other secure mechanisms, and easily auditable. Any activity requires an intentional quorum of people to agree to do it, so you can't just get one guy to go do something bad.

      It is kind of like nuclear missile launching, the root of a certificate authority, the root of a financial processing crypto scheme, etc.

      In this case, sounds like something broke down and they can't get into a safe or some other secure location to retrieve key components. Usually these systems are designed to fail secure except in the case of life safety (i.e. you can get out if there's a fire, it just creates a huge audit nightmare).

      • by OzPeter ( 195038 )

        Thankyou.

      • by sjames ( 1099 )

        The ceremonies are performed to do any cryptographic operations which require a Root Signing Key. When you need to use such a key, you usually have to get a number of people called "key custodians"

        But whatever you do, do NOT cross the streams. That would be bad. Unless, of course the Stay Puft marshmallow man is on the rampage again.

        It is kind of like nuclear missile launching, the root of a certificate authority, the root of a financial processing crypto scheme, etc.

        More seriously, I WISH those examples were as well thought out as the DNSSEC root signing key is.

    • To help reduce DNS spoofing and other shenanigans, DNS records can be digitally signed. For example, Slashdot.org could be signed by the folks who run the dot-org registry, whose keys are in turn signed by the root zone operators. It all chains up to a single root key that is widely trusted by DNS servers.

      For security reasons, the root periodically replaces their signing key. Since the entire internet relies on this and consequences of misuse of that key are very high, they have a formal ceremony with peopl

  • They rejected my idea to cut up the old key with giant novelty scissors.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...